
Page 1: IEC 61508 Assessment - exida

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

exida®

IEC 61508 Functional Safety Assessment

Project:

Acoustic Detector Analog Output

Customer:

Detector Electronics Corp. Minneapolis, MN

USA

Contract No.: Q12/01-022 Report No.: DET12/01-022 R001

Version V1, Revision R1, July 31, 2013

Dave Butler


© exida DET 12-01-022 R001 V1 R1 Assessment Report.doc, July 31, 2013

T-034 V2R1 www.exida.com Page 2 of 17

Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the Acoustic Detector Analog Output.

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Detector Electronics Corp. through an audit and creation of a detailed safety case against the requirements of IEC 61508.

- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed the manufacturing quality system in use at Detector Electronics Corp.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 2. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseWB tool, and used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual) was reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The Acoustic Detector Analog Output was found to meet the requirements of SIL 2. The PFDAVG and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function.

The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:

[certification mark image]


Table of Contents

Management Summary ................................................................................................... 2

1 Purpose and Scope ................................................................................................... 4

2 Project management .................................................................................................. 5

2.1 exida ............................................................................................................................ 5

2.2 Roles of the parties involved ........................................................................................ 5

2.3 Standards / Literature used .......................................................................................... 5

2.4 Reference documents .................................................................................................. 5

2.4.1 Documentation provided by Detector Electronics Corp. ..................................... 5

2.4.2 Documentation generated by exida ................................................................... 7

3 Product Description ................................................................................................... 8

4 IEC 61508 Functional Safety Assessment ................................................................. 9

4.1 Methodology ................................................................................................................ 9

4.2 Assessment level ......................................................................................................... 9

4.3 Product Modifications ................................................................................................. 10

5 Results of the IEC 61508 Functional Safety Assessment ........................................ 11

5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 11

5.1.1 Functional Safety Management ....................................................................... 11

5.1.2 Safety Requirements Specification and Architecture Design ............................ 11

5.1.3 Hardware Design ............................................................................................. 12

5.1.4 Software (Firmware) Design ............................................................................ 12

5.1.5 Validation ......................................................................................................... 12

5.1.6 Verification ....................................................................................................... 13

5.1.7 Modifications ................................................................................................... 13

5.1.8 User Documentation ........................................................................................ 14

5.2 Hardware Assessment ............................................................................................... 15

6 Terms and Definitions .............................................................................................. 16

7 Status of the document ............................................................................................ 17

7.1 Liability ....................................................................................................................... 17

7.2 Releases .................................................................................................................... 17

7.3 Future Enhancements ................................................................................................ 17

7.4 Release Signatures .................................................................................................... 17


1 Purpose and Scope

This document shall describe the results of the IEC 61508 functional safety assessment of the Detector Electronics Corp.:

Acoustic Detector Analog Output (consists of one Model AC100 Sensor and one Model ATX10 Transmitter)

by exida according to the requirements of IEC 61508: ed2, 2010.

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.


2 Project management

2.1 exida

exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Detector Electronics Corp. Manufacturer of the Acoustic Detector Analog Output

exida Performed the hardware assessment

exida Performed the IEC 61508 Functional Safety Assessment

Detector Electronics Corp. contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): 2010

Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Detector Electronics Corp.

ID Project Document Ver. Date

D001 POL Quality Management System Manual 99-1117 AF-2687.doc AF

D003 POL Product Development Procedure F-82.doc F

D004 PRC Software Configuration Management A-236.doc A

D006 WRK RMI Request Procedure C-3080.doc C

D006b DEC RMI Request Form.doc

D007 POL Supplier Selection, Evaluation and Management G-72.docx G

D010 POL ECO Process H-80.doc H

D012 POL Nonconforming Product-Deviation C-49.doc C

D013 POL Corrective Action And Preventive Action D-95.doc D


D016 PRC Product Software Issue Tracking A-237.doc A

D019 POL Product Life Cycle Management B-132.doc B

D019b POL Product Recall & Field Update Procedure C-136.doc C

D021 PRC Software Development D-85.docx D

D023b TMP Impact Analysis Template A-3144.doc A

D026 Acoustic_v-01_FSM_2013FEB.pdf

D032 AC100 Training Plan 1.3.pdf 1.3 7/9/2013

D036 ISO 9001_2011_11.pdf

D040 Acoustic Detector_v.001_SRS_2013JUL11.pdf 7/11/2013

D045 Arch Spec AC100 Acoustic Detector - 300331-001 - v1.1.pdf v1.1 3/8/2013

D047 AcousticDetectorSchematics.pdf

D051 AC100_SDS_19Jul13_0105.doc A 1.05 7/1/2013

D053b AC100 Software Review 9_21_2010.doc

D053c IS Design Discussion.doc

D058 ATX10 Code Review 071913.pdf

D059 Acoustic Fault Injection List_Test data, v01, 2013FEB20.xlsx

D060 300179 SW Style Guide Rev B.doc

D061 std.lnt

D062 ATX10_LINT.TXT

D066 ATX10 Module Test Results_0002.docx

D069 AC100, ATX10 Validation Test Plan_v001, 2013JUL31.pdf 1 7/31/2013

D074 Acoustic Validation Test Results, v-01, 2013JUL19.xlsx v-01 7/19/2013

D074b Acoustic FW Changes Summary, v-01, 2013MAR03.docx v-01 3/3/2013

D075 AC 3038-02, Marine Environ. Testing, 2012DEC-Red.pdf

D078 95-8657-2.2 (AC100_ATX10).pdf 2.2

D079 95-8658-1.2 (AC100_ATX10 Safety), 2013JUN28.pdf

D086b Software Tools HAZOP, Acoustic, v-01, 2013JUL17.docx

D087 011353-001_B.mot.sha1; 012385-001_A.ldr.sha1;

D088 IAF, AC100, ATX10_Initial, 2013FEB, Ver1.0.docx

D089 Det-tronics Acoustic Detector project SW Hazop Report Update.docx 7/10/2013

D090 Acoustic Detector, Safety Comm. Report_2012NOV20.xlsx

D091 SIL Checklist, Acoustic V-001, Initial, 2012APR.pdf


D091b Acoustic V-01 Final Review Meeting Minutes_2013MAR.pdf

D092 097-RPT.CAL.pdf

D093 Detronics AC100 Transcribed-ScannedNotes from WMG visit in Jan 2013.pdf

D094 Acoustic Initial v-01 SIL Serena_Approval Report, 2013MAR07.pdf

D095 Code Examples ATX10.txt 7/19/2013

D096 ATX10 source package.bmp

D097 Compiler Validation ATX10, 2013JUL17.docx

D097b ValidationOfCompliance-EWARM-441a.pdf

D098 Compiler Validation AC100, 2013JUL17.docx

D098b VisualDSP Product Release Bulletin.pdf

D099 AC100 FW Specs_v-01_2013JUL24.pdf v-01 7/24/2013

2.4.2 Documentation generated by exida

[R1] DET Leak Detector Safety Case IEC61508 V1R4

Safety Case File

[R2] DET 12-01-022 R001 V1 R1 Assessment Report.doc

IEC 61508 Functional Safety Assessment for Acoustic Detector Analog Output (This document)

[R3] DET 11-09-046 R001 V1 R1 AC100 FMEDA Report.pdf

FMEDA Report for the Acoustic Detector Analog Output


3 Product Description

The Acoustic Detector Analog Output, as its name implies, identifies gas leaks by detecting and interpreting their acoustic signature. It consists of two modules, the AC100 proper and the ATX10. The AC100 contains the detector, an acoustic sounder to enable Acoustic Integrity testing, signal conditioning circuitry, and a digital signal processor which determines if a leak has been detected. The AC100 communicates with the ATX10, which communicates the state of the overall system to the outside world via a current output and/or digital link. Only the current output is part of the safety function.

[Figure: block diagram. Acoustic energy from the leak enters the AC100, which is linked to the ATX10 over RS485; both modules receive 24V power. The ATX10 drives the 4-20mA output to an AI (analog input); its second RS485 link is marked "not safety related".]

The AC100 is classified as a Type B element according to IEC 61508, having a hardware fault tolerance of 0.

Defined Operational States: The normal state is defined as:

• The current output properly represents the defined acoustic signal within the safety accuracy limits;

• The current output responds to changes in the defined acoustic signal within the worst case safety response time;

• Normal limits for the 4-20mA current loop are defined as a 4-20mA output signal that corresponds to a pre-defined acoustic condition ranging from normal to full alarm.

The fault state is defined as:

• The current output is <= 3.6mA to indicate fault.

The warm-up state is defined as:

• The current output = 3.0mA within the safety accuracy limits during the warm-up period.

The Acoustic Detector SIL approved firmware is listed below (see section 4.3 for modification constraints):

011353-001 Rev B, v1.00 (ATX10) and higher

012385-001 Rev A, v1.72 (AC100) and higher

The Acoustic Detector SIL approved hardware is listed below (see section 4.3 for modification constraints):

010611_002, Rev B and higher

011006_002, Rev A and higher

011366_002, Rev B and higher


011966_002, Rev C and higher

011971_002, Rev C and higher

012001_002, Rev B and higher

012116_002, Rev C and higher

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Detector Electronics Corp. and is documented in the safety case database [R1].

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report (e.g. software development requirements for a product with no software).

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

Development process, including:

o Functional Safety Management, including training and competence recording, FSM planning, and configuration management

o Specification process, techniques and documentation

o Design process, techniques and documentation, including tools used

o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation

o Verification activities and documentation

o Modification process and documentation

o Installation, operation, and maintenance requirements, including user documentation

Product design

o Hardware architecture and failure behavior, documented in a FMEDA

o Software architecture and failure behavior, documented in a Software Criticality and HAZOP report

The review of the development procedures and documentation is described in section 5.1, Lifecycle Activities and Fault Avoidance Measures. The review of the product design is described in section 5.2, Hardware Assessment.

4.2 Assessment level

The Acoustic Detector Analog Output has been assessed per IEC 61508 to the following levels:

Systematic Safety Integrity: SIL 2 capable


Random Safety Integrity: PFDAVG and Architectural Constraints must be verified for each application.

The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of SIL 2 according to IEC 61508.

4.3 Product Modifications

Detector Electronics Corp. may make modifications to this product as needed. Modifications shall be classified into two types:

Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions.

Type 2 Modification: Changes allowed to be made by Detector Electronics Corp. provided that:

A competent person from Detector Electronics Corp., appointed and agreed with exida, judges and approves the modifications. A Compliance Engineer is currently approved by exida to fulfill this role.

The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person with respect to the modifications made.

o List of all anomalies reported

o List of all modifications completed

o Safety impact analysis which shall indicate with respect to the modification:

The initiating problem (e.g. results of root cause analysis)

The effect on the product / system

The elements/components that are subject to the modification

The extent of any re-testing

o List of modified documentation

o Regression test plans
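The Type 2 route above only works if configuration management can prove which firmware image a unit actually carries. The documentation list contains SHA-1 sidecars for the two release images ([D087]: 011353-001_B.mot.sha1 and 012385-001_A.ldr.sha1), and section 3 fixes the approved minimum revisions for those part numbers. The following is an added example, not code from the report or from Detector Electronics Corp., of a release gate that checks each image against its sha1sum-style sidecar and against the approved revision list. The image contents (a minimal S-record and a placeholder loader) and the sidecar text derived from them are constructed; the file naming and the minimum revisions are taken from the document.

```python
import hashlib
import hmac
import re

# Constructed placeholder images. File names follow the D087 sidecar naming
# (011353-001_B.mot.sha1, 012385-001_A.ldr.sha1); the contents are NOT the real
# Det-Tronics firmware. The .mot stand-in is a valid two-record Motorola S-record file.
CONSTRUCTED_IMAGES = {
    "011353-001_B.mot": b"S00600004844521B\nS9030000FC\n",
    "012385-001_A.ldr": b"\x7fLDR-placeholder-loader-image\x00",
}

# Approved minimum revisions from section 3: 011353-001 "Rev B and higher" (ATX10),
# 012385-001 "Rev A and higher" (AC100). Only the revision letter in the file name is
# checked here; the "v1.00 and higher" version strings live inside the image.
APPROVED_MIN_REV = {"011353-001": "B", "012385-001": "A"}

IMAGE_NAME_RE = re.compile(r"^(?P<part>\d{6}-\d{3})_(?P<rev>[A-Z])\.(?P<ext>mot|ldr)$")
# sha1sum(1) line: 40 hex digits, a space, then a space (text) or '*' (binary), file name.
SIDECAR_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]{40}) [ *](?P<name>\S+)\s*$")


def write_sidecar(name, data):
    """Produce the sha1sum-style line a build step would emit for an image."""
    return f"{hashlib.sha1(data).hexdigest()}  {name}\n"


def parse_sidecar(text):
    """Return (digest, file name) from a sha1sum-style sidecar line."""
    m = SIDECAR_RE.match(text.strip())
    if not m:
        raise ValueError("sidecar is not in sha1sum format")
    return m.group("digest").lower(), m.group("name")


def check_image(name, data, sidecar_text):
    """Return 'ok' or the first failed check for one image."""
    m = IMAGE_NAME_RE.match(name)
    if not m:
        return "unrecognised image name"
    part, rev = m.group("part"), m.group("rev")
    if part not in APPROVED_MIN_REV:
        return "part number not in approved list"
    if rev < APPROVED_MIN_REV[part]:  # single uppercase letters compare in revision order
        return "revision below approved minimum"
    digest, expected_name = parse_sidecar(sidecar_text)
    if expected_name != name:
        return "sidecar names a different file"
    actual = hashlib.sha1(data).hexdigest()
    if not hmac.compare_digest(actual, digest):
        return "digest mismatch"
    return "ok"


def release_gate(images, sidecars):
    """images: {name: bytes}; sidecars: {name + '.sha1': text}. Returns {name: status}."""
    result = {}
    for name, data in images.items():
        sidecar = sidecars.get(name + ".sha1")
        if sidecar is None:
            result[name] = "missing sidecar"
            continue
        result[name] = check_image(name, data, sidecar)
    return result


# Sidecars derived from the constructed images, as the build would have recorded them.
CONSTRUCTED_SIDECARS = {n + ".sha1": write_sidecar(n, d) for n, d in CONSTRUCTED_IMAGES.items()}

if __name__ == "__main__":
    print(release_gate(CONSTRUCTED_IMAGES, CONSTRUCTED_SIDECARS))
    tampered = dict(CONSTRUCTED_IMAGES)
    tampered["011353-001_B.mot"] += b"\n"  # one extra byte is enough to fail the gate
    print(release_gate(tampered, CONSTRUCTED_SIDECARS))
```

Two caveats a practitioner would add. SHA-1 is collision-broken, so a sidecar of this kind catches accidental corruption and unrecorded changes but is not a defence against an adversary able to author both images; a current release process would record SHA-256 and sign the manifest. And the gate checks only the revision letter in the file name, so the "v1.00 and higher" firmware versions from section 3 would still have to be read from the image itself.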


5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Detector Electronics Corp. during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of the Acoustic Detector Analog Output was done per this IEC 61508 SIL 2 compliant development process. The Safety Case was updated with project specific design documents.

5.1 Lifecycle Activities and Fault Avoidance Measures

Detector Electronics Corp. has an IEC 61508 compliant development process as assessed during this IEC 61508 certification. This compliant development process is documented in [N1].

This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 2 work scope of the development team. The result of the assessment can be summarized by the following observations:

The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 2.

5.1.1 Functional Safety Management

FSM Planning The functional safety management of this Detector Electronics Corp. product’s development is governed by [D026], which is a template for a Functional Safety Management Plan, containing boilerplate procedures for certain required actions. It also contains structure and format so that the plan can be tailored and adapted to the particular project on which it is used. The Functional Safety Management Plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced herein fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control All documents are under version control as required by [D004].

Training, Competency recording Competency is ensured by the creation of a competency and training matrix for the project [D032]. The matrix lists all of those on the project who are working on any of the phases of the safety lifecycle. Specific competencies for each person are listed on the matrix which is reviewed by the project manager. Any deficiencies are then addressed by updating the matrix with required training for the project.

5.1.2 Safety Requirements Specification and Architecture Design

As defined in [D003], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the Acoustic Detector Analog Output, the requirements specification [D040] contains a system overview section, a System Safety Strategy section, and one or more sections containing the safety requirements for the product. During the assessment,

exida reviewed the content of the specification for completeness per the requirements of IEC 61508.


Requirements are tracked throughout the development process by the creation of a series of traceability matrices which are included in [D069]. The system requirements are broken down into derived hardware and software requirements which include specific safety requirements. Traceability matrices show how the safety requirements map to and from the derived requirements and validation tests.

Requirements from IEC 61508-2, Table B.1 that have been met by Detector Electronics Corp. include project management, documentation, structured specification, inspection of the specification, and checklists.

5.1.3 Hardware Design

Hardware design, including both electrical and mechanical design, is done according to [D003]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a Failure Modes, Effects and Diagnostic Analysis (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by Detector Electronics Corp. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools and inspection of the specification. This is also documented in [R1]. This meets the requirements of SIL 2.

5.1.4 Software (Firmware) Design

Software (firmware) design is done according to [D021]. The software design process includes software architecture design and peer review, detailed design and peer review, code reviews, static source code analysis and unit testing.

Requirements from IEC 61508-3, Table A.2 that have been met by Detector Electronics Corp. include modular approach, structured diagrammatic methods, time-triggered architecture design.

Requirements from IEC 61508-3, Table A.3 that have been met by Detector Electronics Corp. include suitable programming language, strongly typed programming language, and tools and translators: increased confidence from use.

Requirements from IEC 61508-3, Table A.4 that have been met by Detector Electronics Corp. include structured and semi-formal methods, modular approach, design and coding standards and structured programming.

This is also documented in [R1]. This meets the requirements of SIL 2.

5.1.5 Validation

Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D040], in the validation test plan [D069]. The traceability matrices show that all safety requirements have been validated by one or more tests. In addition to standard Test Specification Documents, third party testing is included as part of the validation testing. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D003].


Requirements from IEC 61508-2, Table B.5 that have been met by Detector Electronics Corp. include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, expanded functional testing and black-box testing.

Requirements from IEC 61508-3, Table A.7 that have been met by Detector Electronics Corp. include functional and black box testing.

[R1] documents more details on how each of these requirements has been met. This meets SIL 2.

5.1.6 Verification

Verification activities are built into the standard development process as defined in [D003]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and both hardware and software unit testing. In addition, safety verification checklists are filled out for each phase of the safety lifecycle. This meets the requirements of IEC 61508 SIL 2.

Requirements from IEC 61508-2, Table B.3 that have been met by Detector Electronics Corp. include functional testing, project management, documentation, and black-box testing.

Requirements from IEC 61508-3, Table A.5 that have been met by Detector Electronics Corp. include dynamic analysis and testing, data recording and analysis, functional and black box testing, and test management and automation tools.

Requirements from IEC 61508-3, Table A.6 that have been met by Detector Electronics Corp. include functional and black box testing.

Requirements from IEC 61508-3, Table A.9 that have been met include static analysis and dynamic analysis and testing.

[R1] documents more details on how each of these requirements has been met. This meets the requirements of SIL 2.

5.1.7 Modifications

Modifications are done per Detector Electronics Corp.’s change management process as documented in [D004] and [D026]. Impact analyses are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D003] is then followed to make the change. The handling of hazardous field incidents and customer notifications is governed by [D078] and [D079]. This procedure includes identification of the problem, analysis of the problem, identification of the solution, and communication of the solution to the field. This meets the requirements of IEC 61508 SIL 2.

Requirements from IEC 61508-3, Table A.8 that have been met by the Detector Electronics Corp. modification process include impact analysis, reverify changed software modules, reverify affected software modules, revalidate complete system or regression validation, software configuration management and data recording and analysis.


5.1.8 User Documentation

Detector Electronics Corp. created a safety manual for the Acoustic Detector Analog Output [D079] which addresses all relevant operation and maintenance requirements from IEC 61508. This safety manual [D079] was assessed by exida, and is considered to be in compliance with the requirements of IEC 61508.

Requirements from IEC 61508-2, Table B.4 that have been met by Detector Electronics Corp. include operation and maintenance instructions, maintenance friendliness, project management, documentation, and limited operation possibilities.

[R1] documents more details on how each of these requirements has been met. This meets the requirements for SIL 2.


5.2 Hardware Assessment

To evaluate the hardware design of the Acoustic Detector Analog Output, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R3]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D059], and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category.

These results must be considered in combination with PFDAVG of other devices of a Safety Instrumented Function (SIF), in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined safety instrumented function (SIF) to verify the design of that SIF, using the failure rates published in the FMEDA Report.
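As a worked illustration of the verification that sections 4.2 and 5.2 leave to the application engineer, the following added example (not from the exida report, and not using the AC100/ATX10 failure rates, which are published only in the FMEDA report [R3]) computes PFDavg for a 1oo1 element with the simplified IEC 61508-6 formula, the Safe Failure Fraction, and the Route 1H architectural-constraint limit for a Type B element with HFT 0, then reports the lowest of the random-hardware limit, the architectural limit and the SIL 2 systematic capability stated in section 4.2. The FIT values are constructed for illustration.

```python
"""PFDavg, SFF and architectural-constraint check for a single (1oo1) Type B element.

Added example, not from the exida report. EXAMPLE_RATES_FIT is constructed; the real
AC100/ATX10 rates are in the FMEDA report [R3].
"""

FIT = 1e-9              # 1 FIT = 1e-9 failures per hour (section 6)
HOURS_PER_YEAR = 8760.0
SYSTEMATIC_CAPABILITY = 2   # section 4.2: systematic safety integrity SIL 2 capable

# Constructed element failure rates in FIT, split the way an FMEDA reports them:
# safe detected, safe undetected, dangerous detected, dangerous undetected.
EXAMPLE_RATES_FIT = {"sd": 0.0, "su": 300.0, "dd": 700.0, "du": 60.0}

# IEC 61508-2:2010 Table 3 (Route 1H, Type B): maximum SIL by SFF band and HFT.
# Bands in order: <60 %, 60 to <90 %, 90 to <99 %, >=99 %. 0 means "not allowed".
TYPE_B_MAX_SIL = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def safe_failure_fraction(rates):
    """SFF = (safe + dangerous detected) / (all failures), per IEC 61508-2 Annex C."""
    total = rates["sd"] + rates["su"] + rates["dd"] + rates["du"]
    return (rates["sd"] + rates["su"] + rates["dd"]) / total


def sff_band(sff):
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def architectural_max_sil(sff, hft):
    """Highest SIL the architecture allows for a Type B element (Route 1H)."""
    return TYPE_B_MAX_SIL[hft][sff_band(sff)]


def pfd_avg_1oo1(rates_fit, proof_test_years, mrt_hours=8.0, mttr_hours=8.0):
    """IEC 61508-6 B.3.2.2.1 for 1oo1: PFDavg = lambda_D * t_CE with
    t_CE = (l_DU/l_D)(T1/2 + MRT) + (l_DD/l_D) MTTR, which reduces to
    l_DU (T1/2 + MRT) + l_DD MTTR. T1 is the proof test interval in hours."""
    l_du = rates_fit["du"] * FIT
    l_dd = rates_fit["dd"] * FIT
    t1 = proof_test_years * HOURS_PER_YEAR
    return l_du * (t1 / 2.0 + mrt_hours) + l_dd * mttr_hours


def pfd_sil(pfd_avg):
    """Low-demand SIL band from IEC 61508-1 Table 2 (0 = worse than SIL 1).
    Anything below 1e-4 is reported as SIL 4; the standard defines no band beyond it."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


def element_sil_capability(rates_fit, proof_test_years, hft=0,
                           systematic_capability=SYSTEMATIC_CAPABILITY):
    """Random-hardware, architectural and systematic limits; the element gets the lowest."""
    sff = safe_failure_fraction(rates_fit)
    pfd = pfd_avg_1oo1(rates_fit, proof_test_years)
    arch = architectural_max_sil(sff, hft)
    random_hw = pfd_sil(pfd)
    return {"sff": sff, "pfd_avg": pfd, "arch_sil": arch, "pfd_sil": random_hw,
            "element_sil": min(arch, random_hw, systematic_capability)}


def sif_pfd_avg(element_pfds):
    """Series elements of one SIF (sensor, logic solver, final element): PFDavg adds."""
    return sum(element_pfds)


if __name__ == "__main__":
    for years in (1.0, 5.0):
        r = element_sil_capability(EXAMPLE_RATES_FIT, years)
        print(f"proof test every {years:.0f} y: SFF={r['sff']:.1%} PFDavg={r['pfd_avg']:.2e} "
              f"arch SIL {r['arch_sil']}, PFD SIL {r['pfd_sil']}, element SIL {r['element_sil']}")
```

The example shows why the report cannot state a SIL for the element by itself: the same constructed rates pass SIL 3 on PFDavg with a one-year proof test but only SIL 2 with a five-year interval, and the HFT 0 architecture with an SFF of about 94 % caps the element at SIL 2 regardless of the interval. The sensor's PFDavg is then added to those of the logic solver and final element to obtain the SIF figure that is actually compared against the target.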


6 Terms and Definitions

Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT Failure In Time (1×10^-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

HFT Hardware Fault Tolerance

Low demand mode Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDAVG Average Probability of Failure on Demand

PFH Probability of dangerous Failure per Hour

SFF Safe Failure Fraction - Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

HART Highway Addressable Remote Transducer

AI Analog Input

AO Analog Output

Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2


7 Status of the document

7.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1

Revision: R1

Version History: V1, R1: Released the client manufacturer-reviewed version.

V0, R1: Fixed some review issues.

V0, R0: Initial version for draft review.

Authors: Dave Butler

Review: V0, R0: Griff Francis

Release status: Released

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

John C. Yozallinas, CFSE – Senior Safety Engineer

David E. Butler, CFSE – Safety Engineer